ATT&CK is a knowledge base of cyber adversary behavior and taxonomy for adversarial actions across their lifecycle. ATT&CK has two parts: ATT&CK for Enterprise, which covers behavior against enterprise IT networks and cloud, and ATT&CK for Mobile, which focuses on behavior against mobile devices.
MITRE started ATT&CK in 2013 to document common tactics, techniques, and procedures (TTPs) that advanced persistent threats use against Windows enterprise networks. It was created out of a need to document adversary behaviors for use within a MITRE research project called FMX. The objective of FMX was to investigate use of endpoint telemetry data and analytics to improve post-compromise detection of adversaries operating within enterprise networks. ATT&CK was used as the basis for testing the efficacy of the sensors and analytics under FMX and served as the common language both offense and defense could use to improve over time.
Tactics represent the “why” of an ATT&CK technique or sub-technique. It is the adversary’s tactical goal: the reason for performing an action. For example, an adversary may want to achieve credential access.
Techniques represent “how” an adversary achieves a tactical goal by performing an action. For example, an adversary may dump credentials to achieve credential access.
Sub-techniques are a more specific description of the adversarial behavior used to achieve a goal. They describe behavior at a lower level than a technique. For example, an adversary may dump credentials by accessing the Local Security Authority (LSA) Secrets.
Procedures are the specific implementation the adversary uses for techniques or sub-techniques. For example, a procedure could be an adversary using PowerShell to inject into lsass.exe to dump credentials by scraping LSASS memory on a victim. In ATT&CK, procedures are recorded as the observed in-the-wild use of techniques, listed in the "Procedure Examples" section of technique pages.
Sub-techniques and procedures describe different things in ATT&CK. Sub-techniques are used to categorize behavior, and procedures are used to describe in-the-wild use of techniques. Furthermore, since procedures are specific implementations of techniques and sub-techniques, they may include several additional behaviors in how they are performed. For example, an adversary using PowerShell to inject into lsass.exe to dump credentials by scraping LSASS memory on a victim is a procedure implementation containing several (sub)techniques covering the PowerShell, Process Injection, and Credential Dumping against LSASS behaviors.
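The tactic / technique / sub-technique / procedure relationships described above are easiest to see on data. The following is an added example, not code from the MITRE ATT&CK project or this FAQ: it walks a small, constructed bundle in the STIX 2.1 shape that ATT&CK's public data uses (`attack-pattern` objects with `kill_chain_phases`, `subtechnique-of` and `uses` relationships; this format is an assumption not stated on this page), resolves one procedure example (the PowerShell / process injection / LSASS case from the text) back to its sub-techniques, their parent techniques and their tactics, and summarizes which tactics the procedure touches. The technique IDs are the real ATT&CK identifiers for those techniques; the STIX object IDs, the group name and the procedure description are constructed for the example.

```python
"""Resolve an ATT&CK procedure example to its (sub-)techniques and tactics.

Added example: walks a constructed, page-sized STIX 2.1 bundle in the shape
ATT&CK's public data uses. The bundle content is illustrative, not the real
dataset; only the T-numbers are real ATT&CK technique IDs.
"""
from collections import defaultdict


def _ap(uid, ext_id, name, tactics, sub=False):
    """Build a minimal ATT&CK-style attack-pattern STIX object (constructed)."""
    return {
        "type": "attack-pattern", "id": f"attack-pattern--{uid}", "name": name,
        "x_mitre_is_subtechnique": sub,
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t} for t in tactics],
        "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}],
    }


def _rel(uid, kind, src, dst, description=""):
    """Build a STIX relationship object (constructed)."""
    return {"type": "relationship", "id": f"relationship--{uid}", "relationship_type": kind,
            "source_ref": src, "target_ref": dst, "description": description}


# Constructed mini bundle covering the procedure from the text:
# PowerShell -> inject into lsass.exe -> scrape LSASS memory for credentials.
BUNDLE = {"type": "bundle", "objects": [
    _ap("cred", "T1003", "OS Credential Dumping", ["credential-access"]),
    _ap("lsass", "T1003.001", "LSASS Memory", ["credential-access"], sub=True),
    _ap("lsa", "T1003.004", "LSA Secrets", ["credential-access"], sub=True),
    _ap("inj", "T1055", "Process Injection", ["defense-evasion", "privilege-escalation"]),
    _ap("csi", "T1059", "Command and Scripting Interpreter", ["execution"]),
    _ap("ps", "T1059.001", "PowerShell", ["execution"], sub=True),
    _rel("r1", "subtechnique-of", "attack-pattern--lsass", "attack-pattern--cred"),
    _rel("r2", "subtechnique-of", "attack-pattern--lsa", "attack-pattern--cred"),
    _rel("r3", "subtechnique-of", "attack-pattern--ps", "attack-pattern--csi"),
    {"type": "intrusion-set", "id": "intrusion-set--g0", "name": "Constructed Group"},
    # One procedure example, recorded as three 'uses' relationships (one per behavior).
    _rel("u1", "uses", "intrusion-set--g0", "attack-pattern--ps",
         "Constructed Group used PowerShell to inject into lsass.exe and scrape credentials."),
    _rel("u2", "uses", "intrusion-set--g0", "attack-pattern--inj",
         "Constructed Group injected into lsass.exe from PowerShell."),
    _rel("u3", "uses", "intrusion-set--g0", "attack-pattern--lsass",
         "Constructed Group scraped LSASS memory for credentials."),
]}


def _ext_id(obj):
    """Return the ATT&CK external ID (e.g. 'T1003.001') of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None


def _tactics(obj):
    """Tactics are the 'why': the mitre-attack kill-chain phases on the object."""
    return sorted(p["phase_name"] for p in obj.get("kill_chain_phases", [])
                  if p["kill_chain_name"] == "mitre-attack")


def index_bundle(bundle):
    """Index objects by id, sub-technique -> parent, and actor -> 'uses' relationships."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    parent_of, uses = {}, defaultdict(list)
    for o in bundle["objects"]:
        if o["type"] != "relationship":
            continue
        if o["relationship_type"] == "subtechnique-of":
            parent_of[o["source_ref"]] = o["target_ref"]
        elif o["relationship_type"] == "uses":
            uses[o["source_ref"]].append(o)
    return by_id, parent_of, uses


def resolve_procedures(bundle, actor_name):
    """Map every procedure example of an actor to technique, parent technique and tactics."""
    by_id, parent_of, uses = index_bundle(bundle)
    rows = []
    for actor in bundle["objects"]:
        if actor["type"] not in ("intrusion-set", "malware", "tool") or actor["name"] != actor_name:
            continue
        for rel in uses.get(actor["id"], []):
            tech = by_id[rel["target_ref"]]
            if tech["type"] != "attack-pattern":
                continue
            parent = by_id.get(parent_of.get(tech["id"]))
            rows.append({
                "technique_id": _ext_id(tech), "technique": tech["name"],
                "parent_id": _ext_id(parent) if parent else None,
                "tactics": _tactics(tech), "procedure": rel.get("description", ""),
            })
    return sorted(rows, key=lambda r: r["technique_id"])


def coverage_by_tactic(rows):
    """Group the resolved techniques by tactic: which adversary goals the procedure serves."""
    cov = defaultdict(set)
    for r in rows:
        for t in r["tactics"]:
            cov[t].add(r["technique_id"])
    return {t: sorted(ids) for t, ids in sorted(cov.items())}


if __name__ == "__main__":
    resolved = resolve_procedures(BUNDLE, "Constructed Group")
    for r in resolved:
        print(f'{r["technique_id"]:10} {r["technique"]:30} parent={r["parent_id"]} tactics={r["tactics"]}')
    print(coverage_by_tactic(resolved))
```

The point the walk makes concrete: one procedure (a single observed behavior) fans out to three (sub)techniques under three distinct tactics, which is why a detection or coverage assessment keyed on a procedure example should be credited to every technique it exercises, not just the one whose page lists it.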
Enterprise IT systems covering Windows, macOS, Linux, Network infrastructure devices (Network), and Container technologies (Containers); cloud systems covering Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS), Office Suite, and Identity Provider; mobile devices covering Android and iOS.
ATT&CK can be used in several ways to help security operations, threat intelligence, and security architecture. See the Get Started page for resources on how to start using ATT&CK. Also check out the Resources section of the website and the blog for related projects and other material.
Bi-annually.
Publicly available threat intelligence and incident reporting is the main source of data in ATT&CK. We take what's available in the public and distill out common TTPs. We also use publicly available research on new techniques that closely align with what adversaries commonly do since new TTPs often get used in the wild quickly. For more information see The Design and Philosophy of ATT&CK.
Check out our contribute page!
Please contact us before spending a lot of time writing up a new technique/group/software since we always have things in the works and don’t want you to duplicate efforts. For any contributions we add, we'll run the final product by you and credit you as a contributor. In particular, we're looking for Mac/Linux contributions.
We try to include most threat reporting but can only get to so much. If you feel information is missing, then help us by contributing to ATT&CK. Reach out to see if we’re already working on the group and review our contribute page for guidance and formatting for group and software submissions.
Yes! Check out this page: ATT&CK Data & Tools.
Follow @MITREattack on Twitter for news and check out our blog for posts about topics related to ATT&CK.
Each model and framework can be used for different purposes. We have documented several use cases where ATT&CK can be used to provide granular detail on adversary behavior. We believe most models and frameworks are complementary to ATT&CK, so you don't have to choose just one.
ATT&CK and the Diamond Model are complementary. ATT&CK documents detailed adversary behavior while the Diamond Model is helpful if you're trying to cluster intrusions. There are cases where they may be used together. For example, ATT&CK-mapped techniques may be a useful source of input into the Diamond Model to analyze adversary capabilities.
ATT&CK and the Cyber Kill Chain are complementary. ATT&CK sits at a lower level of definition to describe adversary behavior than the Cyber Kill Chain. ATT&CK Tactics are unordered and may not all occur in a single intrusion because adversary tactical goals change throughout an operation, whereas the Cyber Kill Chain uses ordered phases to describe high level adversary objectives.
Both MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.
You can find downloadable MITRE ATT&CK logos on the Legal & Branding page.
Yes – ATT&CK is open and available to any person or organization for use at no charge. If you decide to use ATT&CK, then follow the Terms of Use. If you have further questions, then please reach out to us at attack@mitre.org.
Remember, you may never use MITRE ATT&CK, MITRE, or ATT&CK in a way that implies an endorsement of a product or service. MITRE does not endorse those organizations, individuals, etc. leveraging MITRE ATT&CK in their work. The inclusion of MITRE ATT&CK does not imply endorsement or support from MITRE.